iam-policy-validator 1.1.0__tar.gz → 1.1.2__tar.gz
Potentially problematic release.
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/.github/workflows/release.yml +1 -3
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/DOCS.md +131 -24
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/Makefile +2 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/PKG-INFO +2 -2
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/README.md +1 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/default-config.yaml +253 -93
- iam_policy_validator-1.1.2/docs/development/PUBLISHING.md +281 -0
- iam_policy_validator-1.1.2/examples/policies/test-cases/allowed-wildcard-resource.json +21 -0
- iam_policy_validator-1.1.2/examples/policies/test-cases/invalid-resource-constraint.json +41 -0
- iam_policy_validator-1.1.2/examples/policies/test-cases/sensitive-action-wildcards.json +46 -0
- iam_policy_validator-1.1.2/examples/policies/test-cases/wrong-condition-key.json +27 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/__version__.py +1 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/checks/__init__.py +2 -0
- iam_policy_validator-1.1.2/iam_validator/checks/action_resource_constraint.py +151 -0
- iam_policy_validator-1.1.2/iam_validator/checks/action_validation.py +72 -0
- iam_policy_validator-1.1.2/iam_validator/checks/security_best_practices.py +515 -0
- iam_policy_validator-1.1.2/iam_validator/checks/utils/__init__.py +1 -0
- iam_policy_validator-1.1.2/iam_validator/checks/utils/policy_level_checks.py +143 -0
- iam_policy_validator-1.1.2/iam_validator/checks/utils/sensitive_action_matcher.py +252 -0
- iam_policy_validator-1.1.2/iam_validator/checks/utils/wildcard_expansion.py +89 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/commands/__init__.py +3 -1
- iam_policy_validator-1.1.2/iam_validator/commands/cache.py +402 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/access_analyzer_report.py +2 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/aws_fetcher.py +79 -19
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/check_registry.py +3 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/cli.py +1 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/config_loader.py +1 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/defaults.py +103 -73
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/enhanced.py +6 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/policy_checks.py +21 -2
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/report.py +8 -1
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/pyproject.toml +9 -1
- iam_policy_validator-1.1.2/tests/test_action_resource_constraint.py +273 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_action_validation_check.py +6 -7
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_security_best_practices.py +179 -0
- iam_policy_validator-1.1.2/tests/test_sensitive_action_wildcard_expansion.py +316 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/uv.lock +51 -35
- iam_policy_validator-1.1.0/docs/development/PUBLISHING.md +0 -240
- iam_policy_validator-1.1.0/iam_validator/checks/action_validation.py +0 -192
- iam_policy_validator-1.1.0/iam_validator/checks/security_best_practices.py +0 -765
- iam_policy_validator-1.1.0/tests/test_wildcard_allowlist.py +0 -288
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/.github/dependabot.yml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/.github/workflows/ci.yml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/.gitignore +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/.python-version +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/CONTRIBUTING.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/LICENSE +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/action.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/docs/README.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/docs/configuration.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/docs/custom-checks.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/README.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/access-analyzer/example1.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/access-analyzer/example2.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/configs/action-condition-enforcement-advanced.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/configs/config-privilege-escalation.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/configs/custom-business-rules.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/configs/custom-wildcard-config.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/configs/none_of_example.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/configs/unified-condition-enforcement.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/README.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/advanced_multi_condition_validator.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/cross_account_external_id_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/domain_restriction_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/encryption_required_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/mfa_required_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/region_restriction_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/tag_enforcement_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/custom_checks/time_based_access_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/README.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/access-analyzer-only.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/action-examples.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/basic-validation.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/custom-policy-checks.yml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/multi-region-validation.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/resource-policy-validation.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/sequential-validation.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/github-actions/two-step-validation.yaml +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/README-privilege-escalation.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/api_gateway_management.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/athena_query_access.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/backup_vault_access.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/cloudformation_deployer.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/cloudwatch_monitoring.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/cognito_user_pool.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/dynamodb_table_access.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/ecs_task_execution.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/eventbridge_rules.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/glue_etl_jobs.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/insecure_policy.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/invalid_policy.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/kms_encryption_keys.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/lambda_developer.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/maximum_size_policy.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/policy_missing_required_tags.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/policy_tag_enforcement_example.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/policy_with_wildcard_resources.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/privilege_escalation_scattered.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/rds_database_admin.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/sample_policy.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/secrets_manager_access.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/sns_sqs_messaging.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/step_functions_workflow.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/test_none_of_valid.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/test_none_of_violations.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/examples/policies/test-cases/wildcard_examples.json +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/__init__.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/__main__.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/checks/action_condition_enforcement.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/checks/condition_key_validation.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/checks/policy_size.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/checks/resource_validation.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/checks/sid_uniqueness.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/commands/analyze.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/commands/base.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/commands/post_to_pr.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/commands/validate.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/__init__.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/access_analyzer.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/aws_global_conditions.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/__init__.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/base.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/console.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/csv.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/html.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/json.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/markdown.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/formatters/sarif.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/models.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/policy_loader.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/core/pr_commenter.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/integrations/__init__.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/integrations/github_integration.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/iam_validator/integrations/ms_teams.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/scripts/sync_defaults_from_yaml.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/README.md +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/__init__.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_action_condition_enforcement.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_aws_fetcher_wildcards.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_aws_global_conditions.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_check_registry.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_comment_truncation.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_condition_key_validation_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_config_loader.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_custom_policy_checks.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_models.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_multipart_comments.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_policy_loader.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_policy_size_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_resource_validation_check.py +0 -0
- {iam_policy_validator-1.1.0 → iam_policy_validator-1.1.2}/tests/test_sid_uniqueness_check.py +0 -0
|
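--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -84,9 +84,7 @@ jobs:
 !contains(steps.get_version.outputs.version, 'rc') &&
 !contains(steps.get_version.outputs.version, 'beta') &&
 !contains(steps.get_version.outputs.version, 'alpha')
-run: uv publish
-env:
-UV_PUBLISH_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+run: uv publish --trusted-publishing always
 
 - name: Create Release Summary
 if: always()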
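Review bot: Switching to `uv publish --trusted-publishing always` only works if the publish job grants `permissions: id-token: write`, and that block sits above this hunk (the job definition starts before line 84), so please confirm it is set at job scope rather than workflow-wide. The removed `secrets.PYPI_API_TOKEN` is no longer read but presumably still exists as a repository secret and as a live PyPI token; revoke it on PyPI and delete the secret so a dormant long-lived credential does not remain usable if repository secrets are ever exposed. Binding the job to a GitHub `environment:` and scoping the PyPI trusted publisher to that environment would further limit which runs can mint a publishing token. Choosing `always` rather than the automatic mode is sound, since the step then fails loudly instead of quietly falling back to token authentication.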
@@ -17,7 +17,8 @@
|
|
|
17
17
|
7. [Built-in Checks](#built-in-validation-checks)
|
|
18
18
|
8. [Custom Validation Rules](#creating-custom-checks)
|
|
19
19
|
9. [Performance & Optimization](#performance-optimization)
|
|
20
|
-
10. [
|
|
20
|
+
10. [Cache Management](#cache-command)
|
|
21
|
+
11. [Development](#development)
|
|
21
22
|
|
|
22
23
|
---
|
|
23
24
|
|
|
@@ -176,7 +177,7 @@ jobs:
|
|
|
176
177
|
- name: Set up Python
|
|
177
178
|
uses: actions/setup-python@v5
|
|
178
179
|
with:
|
|
179
|
-
python-version: '3.
|
|
180
|
+
python-version: '3.12'
|
|
180
181
|
|
|
181
182
|
- name: Install uv
|
|
182
183
|
uses: astral-sh/setup-uv@v3
|
|
@@ -230,7 +231,7 @@ jobs:
|
|
|
230
231
|
- name: Set up Python
|
|
231
232
|
uses: actions/setup-python@v5
|
|
232
233
|
with:
|
|
233
|
-
python-version: '3.
|
|
234
|
+
python-version: '3.12'
|
|
234
235
|
|
|
235
236
|
- name: Install uv
|
|
236
237
|
uses: astral-sh/setup-uv@v7
|
|
@@ -284,7 +285,7 @@ jobs:
|
|
|
284
285
|
- name: Set up Python
|
|
285
286
|
uses: actions/setup-python@v5
|
|
286
287
|
with:
|
|
287
|
-
python-version: '3.
|
|
288
|
+
python-version: '3.12'
|
|
288
289
|
|
|
289
290
|
- name: Install uv
|
|
290
291
|
uses: astral-sh/setup-uv@v3
|
|
@@ -631,10 +632,50 @@ iam-validator post-to-pr --report report.json --no-review
|
|
|
631
632
|
iam-validator post-to-pr --report report.json --no-summary
|
|
632
633
|
```
|
|
633
634
|
|
|
635
|
+
### `cache` Command
|
|
636
|
+
|
|
637
|
+
Manage AWS service definition cache for improved performance:
|
|
638
|
+
|
|
639
|
+
```bash
|
|
640
|
+
iam-validator cache {info,list,clear,refresh,prefetch,location}
|
|
641
|
+
|
|
642
|
+
Subcommands:
|
|
643
|
+
info Show cache information and statistics
|
|
644
|
+
list List all cached AWS services
|
|
645
|
+
clear Clear all cached AWS service definitions
|
|
646
|
+
refresh Clear cache and pre-fetch common AWS services
|
|
647
|
+
prefetch Pre-fetch common AWS services (without clearing)
|
|
648
|
+
location Show cache directory location
|
|
649
|
+
```
|
|
650
|
+
|
|
651
|
+
**Examples:**
|
|
652
|
+
|
|
653
|
+
```bash
|
|
654
|
+
# Show cache information and statistics
|
|
655
|
+
iam-validator cache info
|
|
656
|
+
|
|
657
|
+
# List all cached AWS services
|
|
658
|
+
iam-validator cache list
|
|
659
|
+
|
|
660
|
+
# Clear all cached service definitions
|
|
661
|
+
iam-validator cache clear
|
|
662
|
+
|
|
663
|
+
# Refresh cache (clear and pre-fetch common services)
|
|
664
|
+
iam-validator cache refresh
|
|
665
|
+
|
|
666
|
+
# Pre-fetch common AWS services without clearing existing cache
|
|
667
|
+
iam-validator cache prefetch
|
|
668
|
+
|
|
669
|
+
# Show cache directory location
|
|
670
|
+
iam-validator cache location
|
|
671
|
+
```
|
|
672
|
+
|
|
634
673
|
---
|
|
635
674
|
|
|
636
675
|
## Configuration
|
|
637
676
|
|
|
677
|
+
> **📢 Configuration Change (v1.1.0+):** The `allowed_wildcards` configuration has moved from `action_validation_check` to `security_best_practices_check` for cleaner separation of concerns. If you have a custom config file, update it accordingly. See [Migration Note](#configuration-migration) below.
|
|
678
|
+
|
|
638
679
|
### Configuration File
|
|
639
680
|
|
|
640
681
|
Create a configuration file (e.g., `my-config.yaml`) based on [default-config.yaml](default-config.yaml):
|
|
@@ -682,7 +723,8 @@ sid_uniqueness_check:
|
|
|
682
723
|
action_validation_check:
|
|
683
724
|
enabled: true
|
|
684
725
|
severity: error
|
|
685
|
-
|
|
726
|
+
description: "Validates that actions exist in AWS services"
|
|
727
|
+
# Note: Wildcard security checks are handled by security_best_practices_check
|
|
686
728
|
|
|
687
729
|
# Validate condition keys
|
|
688
730
|
condition_key_validation_check:
|
|
@@ -697,12 +739,23 @@ resource_validation_check:
|
|
|
697
739
|
# Security best practices
|
|
698
740
|
security_best_practices_check:
|
|
699
741
|
enabled: true
|
|
742
|
+
# Define allowed wildcard patterns for safe read-only operations
|
|
743
|
+
allowed_wildcards:
|
|
744
|
+
- "s3:List*"
|
|
745
|
+
- "s3:Describe*"
|
|
746
|
+
- "ec2:Describe*"
|
|
747
|
+
- "iam:Get*"
|
|
748
|
+
- "iam:List*"
|
|
749
|
+
- "cloudwatch:Describe*"
|
|
750
|
+
- "logs:Describe*"
|
|
751
|
+
|
|
700
752
|
wildcard_action_check:
|
|
701
753
|
enabled: true
|
|
702
754
|
severity: medium
|
|
703
755
|
wildcard_resource_check:
|
|
704
756
|
enabled: true
|
|
705
757
|
severity: medium
|
|
758
|
+
# Inherits allowed_wildcards from parent
|
|
706
759
|
full_wildcard_check:
|
|
707
760
|
enabled: true
|
|
708
761
|
severity: critical # Action:* + Resource:* is critical!
|
|
@@ -750,12 +803,12 @@ See `examples/configs/` directory:
|
|
|
750
803
|
|
|
751
804
|
### 1. Action Validation
|
|
752
805
|
|
|
753
|
-
Verifies IAM actions exist in AWS
|
|
806
|
+
Verifies IAM actions exist in AWS service definitions. This check focuses **solely on validity** - security concerns like wildcards are handled by [Security Best Practices](#4-security-best-practices).
|
|
754
807
|
|
|
755
808
|
```json
|
|
756
809
|
{
|
|
757
810
|
"Effect": "Allow",
|
|
758
|
-
"Action": "s3:GetObject", // ✅ Valid
|
|
811
|
+
"Action": "s3:GetObject", // ✅ Valid action
|
|
759
812
|
"Resource": "*"
|
|
760
813
|
}
|
|
761
814
|
```
|
|
@@ -763,7 +816,15 @@ Verifies IAM actions exist in AWS services:
|
|
|
763
816
|
```json
|
|
764
817
|
{
|
|
765
818
|
"Effect": "Allow",
|
|
766
|
-
"Action": "s3:InvalidAction", // ❌ Invalid
|
|
819
|
+
"Action": "s3:InvalidAction", // ❌ Invalid - action doesn't exist
|
|
820
|
+
"Resource": "*"
|
|
821
|
+
}
|
|
822
|
+
```
|
|
823
|
+
|
|
824
|
+
```json
|
|
825
|
+
{
|
|
826
|
+
"Effect": "Allow",
|
|
827
|
+
"Action": "s3:List*", // ✅ Valid - wildcards skipped (checked by security_best_practices_check)
|
|
767
828
|
"Resource": "*"
|
|
768
829
|
}
|
|
769
830
|
```
|
|
@@ -820,38 +881,84 @@ Ensures Statement IDs are unique within a policy:
|
|
|
820
881
|
|
|
821
882
|
### 6. Wildcard Action Validation
|
|
822
883
|
|
|
823
|
-
The `
|
|
884
|
+
The `security_best_practices_check` handles all wildcard security validation with customizable allowlists:
|
|
885
|
+
|
|
886
|
+
```yaml
|
|
887
|
+
security_best_practices_check:
|
|
888
|
+
enabled: true
|
|
889
|
+
|
|
890
|
+
# Define allowed wildcard patterns (e.g., safe read-only operations)
|
|
891
|
+
# These patterns are considered acceptable and won't trigger warnings
|
|
892
|
+
allowed_wildcards:
|
|
893
|
+
- "s3:List*" # Safe: listing resources
|
|
894
|
+
- "s3:Describe*" # Safe: describing configurations
|
|
895
|
+
- "ec2:Describe*" # Safe: read-only operations
|
|
896
|
+
- "iam:Get*" # Safe: non-sensitive IAM reads
|
|
897
|
+
- "iam:List*" # Safe: listing IAM entities
|
|
898
|
+
- "cloudwatch:Describe*"
|
|
899
|
+
- "logs:Describe*"
|
|
900
|
+
|
|
901
|
+
# Wildcard resource check uses allowed_wildcards
|
|
902
|
+
# Resource: "*" is acceptable if ALL actions match allowed_wildcards
|
|
903
|
+
wildcard_resource_check:
|
|
904
|
+
enabled: true
|
|
905
|
+
severity: medium
|
|
906
|
+
# Optionally override parent allowed_wildcards for this check:
|
|
907
|
+
# allowed_wildcards:
|
|
908
|
+
# - "s3:List*"
|
|
909
|
+
|
|
910
|
+
# Flag service-level wildcards (e.g., "s3:*")
|
|
911
|
+
service_wildcard_check:
|
|
912
|
+
enabled: true
|
|
913
|
+
severity: high
|
|
914
|
+
# Allow specific services to use wildcards
|
|
915
|
+
allowed_services:
|
|
916
|
+
- "logs"
|
|
917
|
+
- "cloudwatch"
|
|
918
|
+
```
|
|
824
919
|
|
|
920
|
+
**Note:** The `action_validation_check` now focuses solely on validating that actions exist in AWS service definitions. All wildcard security concerns are handled by `security_best_practices_check`.
|
|
921
|
+
|
|
922
|
+
### Configuration Migration
|
|
923
|
+
|
|
924
|
+
If you have a custom configuration file from before v1.1.0, update it as follows:
|
|
925
|
+
|
|
926
|
+
**Before (v1.0.x):**
|
|
825
927
|
```yaml
|
|
826
|
-
# Allow specific wildcard patterns (e.g., read-only operations)
|
|
827
928
|
action_validation_check:
|
|
828
929
|
enabled: true
|
|
829
930
|
severity: error
|
|
830
|
-
# Override default allowlist with custom patterns
|
|
831
931
|
allowed_wildcards:
|
|
832
|
-
- "s3:Get*"
|
|
833
932
|
- "s3:List*"
|
|
834
933
|
- "ec2:Describe*"
|
|
835
|
-
- "cloudwatch:*" # Allow all CloudWatch actions
|
|
836
|
-
# Disable informational wildcard warnings
|
|
837
934
|
disable_wildcard_warnings: true
|
|
838
935
|
```
|
|
839
936
|
|
|
840
|
-
|
|
841
|
-
|
|
937
|
+
**After (v1.1.0+):**
|
|
842
938
|
```yaml
|
|
939
|
+
action_validation_check:
|
|
940
|
+
enabled: true
|
|
941
|
+
severity: error
|
|
942
|
+
# allowed_wildcards removed - moved to security_best_practices_check
|
|
943
|
+
# disable_wildcard_warnings removed - no longer needed
|
|
944
|
+
|
|
843
945
|
security_best_practices_check:
|
|
844
946
|
enabled: true
|
|
845
|
-
#
|
|
846
|
-
|
|
947
|
+
# Move allowed_wildcards here
|
|
948
|
+
allowed_wildcards:
|
|
949
|
+
- "s3:List*"
|
|
950
|
+
- "ec2:Describe*"
|
|
951
|
+
|
|
952
|
+
wildcard_resource_check:
|
|
847
953
|
enabled: true
|
|
848
|
-
|
|
849
|
-
# Allow specific services to use wildcards
|
|
850
|
-
allowed_services:
|
|
851
|
-
- "logs"
|
|
852
|
-
- "cloudwatch"
|
|
954
|
+
# Automatically inherits allowed_wildcards from parent
|
|
853
955
|
```
|
|
854
956
|
|
|
957
|
+
**Why this change?**
|
|
958
|
+
- **Clearer separation**: Action validation checks **validity**, security checks handle **safety**
|
|
959
|
+
- **Less confusion**: No overlap between validation and security concerns
|
|
960
|
+
- **Better architecture**: Wildcard security logic is centralized in one place
|
|
961
|
+
|
|
855
962
|
---
|
|
856
963
|
|
|
857
964
|
## Creating Custom Checks
|
|
@@ -1060,7 +1167,7 @@ make check
|
|
|
1060
1167
|
|
|
1061
1168
|
### Publishing
|
|
1062
1169
|
|
|
1063
|
-
See
|
|
1170
|
+
The project uses **trusted publishing** to PyPI via GitHub Actions - no API tokens required. See [release.yml](.github/workflows/release.yml) for the automated release workflow.
|
|
1064
1171
|
|
|
1065
1172
|
### Contributing
|
|
1066
1173
|
|
|
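--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ dev:
 uv sync
 
 # Sync defaults.py from YAML config
-sync-defaults:
+sync-defaults: clean
 @echo "Syncing defaults.py from default-config.yaml..."
 @uv run python scripts/sync_defaults_from_yaml.py
 
@@ -46,6 +46,7 @@ clean:
 @rm -rf .pytest_cache/
 @rm -rf .mypy_cache/
 @rm -rf .ruff_cache/
+@rm -rf .benchmarks
 @find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true
 @find . -type f -name "*.pyc" -delete
 @find . -type f -name "*.pyo" -delete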
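Review bot: `sync-defaults: clean` makes every regeneration of defaults.py run the full `clean` recipe, which with the second hunk now also removes `.benchmarks`; if that directory holds saved benchmark baselines, a routine sync will silently discard them. If the prerequisite is only meant to drop stale caches before the sync, a comment such as `# Depends on clean so stale caches never mask a regenerated defaults.py` (or a narrower prerequisite target) would make the intent explicit. Minor style point: `@rm -rf .benchmarks` omits the trailing slash the three sibling lines use.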
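--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.1.
+Version: 1.1.2
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs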
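--- a/README.md
+++ b/README.md
@@ -197,7 +197,7 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
-python-version: '3.
+python-version: '3.12'
 
 - name: Install uv
 uses: astral-sh/setup-uv@v3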